March 21, 2023
If you’re like the average organization, you have an untold number of SaaS apps floating around your corporate infrastructure. Sometimes an app is approved by IT; other times it isn’t. To reduce the consequences of Shadow IT, let’s dive into four hidden risks of Shadow IT that every IT professional should know.
At its most fundamental, Shadow IT is the use of IT-related hardware or software without the knowledge of IT or security within an organization.
It includes cloud services, software, and even hardware, like personal tablets or thumb drives.
The major concern, though, comes from SaaS.
What’s behind Shadow IT? Much to the chagrin of both IT and finance leaders, a major culprit is the ease of buying it.
In the 2022 G2 Software Buyer Behavior Report, research found that 56% of North American organizations prefer to purchase software with a credit card.
While other areas of the world aren’t as credit card dependent for software purchases, grabbing the card still makes up a substantial portion of SaaS sales. Forty percent of organizations in APAC and 41% in EMEA tend to buy using a credit card.
With that, time to shine some light on the dangers of Shadow IT.
Not knowing your SaaS stack, and living without a real SaaS system of record, introduces substantial risk, which we’ll cover next.
But first, let’s talk about a SaaS system of record or your single source of truth for your SaaS stack. Chances are, if you have a single source of truth, it’s on a spreadsheet.
Spreadsheets are generally the place to start. You manually add all the tools your employees use and then you track them manually. Sort of.
Even if your employees or finance teams actually tell you about them, once your organization scales either users or apps, you can guess what happens to that important file.
Over time, and across IT staffing changes, your spreadsheet-based SaaS system of record becomes its own unwieldy, risk-laden mess.
Once your number of apps and users scales, a spreadsheet is no match for Shadow IT. The dangers remain unchecked and continue to mount.
So now, let’s dig into the following risks:
Without a constant and close eye, new SaaS app accounts multiply quickly. Running unknown and unchecked, your software expenses can spiral.
After all, it’s the natural outcome of the ease of adding new (and often redundant) apps, use cases, and accounts.
The great thing about SaaS is that it enables employees to find and use the right tools they need to get the job done.
But it comes with some downsides.
Thanks to that credit card we talked about in the earlier section, an employee can add your organization’s third calendaring app or sixth project management tool.
More likely than not, that new account is for the exact same app, or something very similar, that is already in use somewhere in the organization. And it all happens in five minutes.
Without the clear visibility that a SaaS system of record provides, it’s difficult to avoid costly “accidental renewals.”
How does this happen? Well, the SaaS sprawl comes with a sprawl of contracts, too. And no two contracts are the same. Buried in those contracts is a maze of different terms and conditions, key renewal dates and cancellation terms.
Keeping track of it all takes a lot of time, which is something finance, procurement, and IT teams rarely have.
This, of course, leads to the inadvertent missed key cancellation date. Then what happens? Your account automatically renews and you’re on the hook to pay for another term.
Finally, if employees aren’t using IT approved or sanctioned apps, it’s impossible to tell if the organization’s IT investments are paying off.
SaaS apps in the shadows, by their very nature, aren’t recognized by IT.
If IT doesn’t even know they’re in use, they certainly can’t support them. Users are on their own to make the most of them.
In many cases, without organizational and IT support, an app is only a bill to pay that doesn’t add value. Too many users abandon an app that is “too hard to use,” go onto the next one, and they spend too much of their time trying to figure out software, not getting work done.
When users can manage without IT, what does this mean for IT and the rest of the organization?
There are still other operational risks. For example, IT can’t back up data held in an app it doesn’t know exists, which may lead to data loss. Nor can the organization take advantage of the data sitting inside these unknown apps. This eliminates opportunities to share data and collaborate.
And Shadow IT creates another operational inefficiency: contract sprawl. SaaS vendor contracts that aren’t kept in a centralized place take too much time to find.
Without security or IT approval, an employee can use a new SaaS app that unintentionally introduces a new and costly security threat or compliance violation.
Within minutes, a user can introduce:
Related to security risk is compliance risk. Security violations that result from not following documented security processes are, by definition, compliance failures.
But what other compliance risks lurk in your SaaS stack?
This will largely differ by company and industry, but there are some universal compliance requirements.
For example, it’s necessary to have a documented policy for app access approvals. Different apps will have different processes approved by different people. Without automated workflows it’s harder to follow app access approvals.
It’s also important to know and track your SaaS vendors’ compliance certifications.
Let’s say your company is in the finance industry. To comply with your industry’s standards, you need to use SaaS vendors that have met certain compliance requirements, such as holding a current SOC 2 report.
Furthermore, you need to track the validity and expiration dates of your SaaS vendors’ compliance certifications and attestations. You probably also need to keep your SaaS vendor contracts together in one place.
There are a few essentials to combating the risks of Shadow IT. You need to always know all the apps in your SaaS stack. And you need a centralized place to manage them.
You need visibility into your entire SaaS stack. As soon as an app gets added, or a user grants it access to your domain by signing in with corporate credentials, IT needs to know about it. After all, visibility reduces financial and security risks.
A single source of SaaS truth is key to reducing operational and compliance risks.
This means you need a management tool with a robust discovery process. Without accurately identifying all the SaaS tools in the stack, you can’t manage your stack costs, or your operational, security, or compliance risks.
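One concrete place a discovery process can start is the identity provider’s audit trail of apps that users have authorized against the corporate domain. The script below is an added example for this page, not G2 Track code: it parses constructed “app authorized” events (JSON lines, with made-up client IDs, app names and scope names), reconciles them against a constructed inventory of IT-sanctioned apps, and ranks each app by whether it is unknown to IT and whether its granted scopes give it broad access to mail, files or the directory. The event format and scope vocabulary are assumptions; a real deployment would map them to the provider’s own export.

```python
"""Reconcile third-party app grants against a sanctioned-app inventory.

Added example: the record format, scope names, inventory and log lines are
all constructed for illustration and do not come from any real tenant.
"""
import json

# Constructed inventory of IT-sanctioned apps, keyed by OAuth client ID.
SANCTIONED = {
    "client-crm-001": {"name": "CRM Pro", "owner": "sales-ops"},
    "client-pm-002": {"name": "ProjectBoard", "owner": "pmo"},
}

# Scopes (hypothetical names) that give an app broad access to company data.
HIGH_RISK_SCOPES = {
    "mail.readonly", "mail.send", "drive.readwrite",
    "directory.readonly", "admin.directory",
}

# Constructed audit log: one JSON object per line. The last line is
# deliberately truncated to show how malformed records are handled.
SAMPLE_LOG = """
{"ts":"2023-03-01T09:12:00Z","user":"alice@example.com","client_id":"client-crm-001","app":"CRM Pro","scopes":["profile","contacts.readonly"]}
{"ts":"2023-03-01T10:40:11Z","user":"bob@example.com","client_id":"client-notes-777","app":"QuickNotes","scopes":["profile","drive.readwrite"]}
{"ts":"2023-03-02T08:05:43Z","user":"carol@example.com","client_id":"client-pm-002","app":"ProjectBoard","scopes":["profile"]}
{"ts":"2023-03-02T14:22:09Z","user":"dave@example.com","client_id":"client-notes-777","app":"QuickNotes","scopes":["profile","drive.readwrite","mail.readonly"]}
{"ts":"2023-03-03T11:00:00Z","user":"erin@example.com","client_id":"client-cal-333","app":"CalSync","scopes":["calendar.readonly"]}
{"ts":"2023-03-03T12:00:00Z","user":"frank@example.com"
"""

SEVERITY_ORDER = {"high": 0, "medium": 1, "review": 2, "ok": 3}


def parse_grants(log_text):
    """Parse JSON-lines grant events. Returns (grants, malformed_line_count)."""
    grants, malformed = [], 0
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            rec = json.loads(line)
            grants.append({
                "ts": rec["ts"], "user": rec["user"],
                "client_id": rec["client_id"], "app": rec["app"],
                "scopes": set(rec.get("scopes", [])),
            })
        except (json.JSONDecodeError, KeyError):
            malformed += 1  # counted and surfaced in the report, not dropped silently
    return grants, malformed


def reconcile(grants, sanctioned=SANCTIONED, risky=HIGH_RISK_SCOPES):
    """Group grants per app and classify each app against the inventory."""
    apps = {}
    for g in grants:
        e = apps.setdefault(g["client_id"], {
            "app": g["app"], "users": set(), "scopes": set(), "first_seen": g["ts"],
        })
        e["users"].add(g["user"])
        e["scopes"] |= g["scopes"]
        e["first_seen"] = min(e["first_seen"], g["ts"])  # ISO-8601 UTC sorts lexically

    findings = {}
    for cid, e in apps.items():
        is_sanctioned = cid in sanctioned
        high_risk = sorted(e["scopes"] & risky)
        if not is_sanctioned and high_risk:
            severity = "high"      # unknown app with broad data access
        elif not is_sanctioned:
            severity = "medium"    # unknown app, narrow scopes: an inventory gap
        elif high_risk:
            severity = "review"    # sanctioned app; confirm the broad scope is expected
        else:
            severity = "ok"
        findings[cid] = {
            "app": e["app"], "sanctioned": is_sanctioned, "severity": severity,
            "user_count": len(e["users"]), "high_risk_scopes": high_risk,
            "first_seen": e["first_seen"],
        }
    return findings


def report(findings, malformed=0):
    """Render findings as text, most severe first."""
    ordered = sorted(findings.items(),
                     key=lambda kv: (SEVERITY_ORDER[kv[1]["severity"]], kv[1]["app"]))
    lines = []
    for cid, f in ordered:
        scopes = ",".join(f["high_risk_scopes"]) or "-"
        lines.append(f"[{f['severity']:6}] {f['app']} ({cid}) users={f['user_count']} "
                     f"first_seen={f['first_seen']} risky_scopes={scopes}")
    if malformed:
        lines.append(f"{malformed} malformed audit line(s) skipped")
    return "\n".join(lines)


if __name__ == "__main__":
    grants, bad = parse_grants(SAMPLE_LOG)
    print(report(reconcile(grants), bad))
```

On the constructed log, QuickNotes comes out on top: nobody in IT approved it, two users have granted it read/write access to files and one of them read access to mail. CalSync is flagged as a medium-severity inventory gap, and the two sanctioned apps pass. Grouping by client ID rather than by display name matters, because the display name is chosen by the app publisher and is easy to make look like an approved tool.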
To bring your IT out of the shadows, learn how the easy-to-use no-code G2 Track - with its unbeatable discovery process based on the G2.com product taxonomy - can help.
Learn more by downloading the IT Leader’s Mega-Guide to Saving on SaaS.
Rachel is the Marketing Director at G2 Track - G2's SaaS Management Platform - designed to help IT and Finance leaders better manage and optimize their SaaS stack.